An attacker in a privileged network position, such as an ISP or the owner of a malicious hotspot, can cause an HTTPS request to be repeated by disrupting the TLS connection to the client browser at the right moment. Modern browsers usually retry failed requests automatically, which makes this attack invisible to the end user.

(and how to audit your phone's application traffic yourself)

It might sound weird to accuse Foursquare of collecting location data since that is the whole point of the service, but Foursquare is overstepping its bounds by constantly keeping track of their users' every move (and more) -- even if they never open the app.

My current bank, one of Brazil's largest, provides its clients with one of several methods (in addition to their passwords) to authenticate to their accounts, online and on ATMs. I reverse engineered their Android OTP code generator and ported it to an Arduino-compatible microcontroller.